Windows Authentication with Preview 5

Topics: Web Api
Nov 4, 2011 at 1:34 PM

I am trying to enable Windows Authentication and I can't seem to get it working. At this point, I am just trying to get identity established so I can make some security decisions. I am configuring it with the following code:


            var config = new HttpConfiguration
                         {
                             EnableTestClient = true,
                             CreateInstance = (type, context, message) => container.Resolve(type),
                             ReleaseInstance = (context, obj) => container.Release(obj),
                             Security = (uri, binding) =>
                                        {
                                            binding.Mode = HttpBindingSecurityMode.TransportCredentialOnly;
                                            binding.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
                                        }
                         };


            RouteTable.Routes.SetDefaultHttpConfiguration(config);

 

I also have a PrincipalPermission attribute on my service class:

 

namespace Turner.Foundation.Environment.Services
{
    [ServiceContract]
    [PrincipalPermission(SecurityAction.Demand)]
    public class PackageService
    {
        private readonly FoundationContext _context;

        public PackageService(FoundationContext context)
        {
            _context = context;
        }

        [WebGet(UriTemplate = "?name={name}&system={system}&solution={solution}&packageType={packageType}")]
        public virtual IEnumerable<Package> Get(string name, string system, string solution, string packageType)
        {

When I try to access that endpoint, I get a SecurityException with "Request for principal permission failed." as the message. I have tried many variations on code and settings and this is the closest that I can get. Do I need something to get the right Identity set? When this exception occurs, the Identity is a System.Security.Principal.GenericIdentity.

 

Thanks,
Rob Cannon 

 

Nov 4, 2011 at 11:23 PM

Hi Ron,

You can fish out the ServiceSecurityContext from the HttpRequestMessage.Properties bag if you can change your method to additionally take in an HttpRequestMessage.

[WebGet(UriTemplate = "?name={name}&system={system}&solution={solution}&packageType={packageType}")]
public virtual IEnumerable<Package> Get(string name, string system, string solution, string packageType, HttpRequestMessage request)
{
    ServiceSecurityContext context = request.Properties["Security"] as ServiceSecurityContext;
}

Currently, we don't have a layer to set the current thread's identity with that identity yet. If you want to make that work, you can try to register a custom OperationInvoker via WCF.

Hope this helps.

hongmei
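
The custom OperationInvoker suggested in the reply above could look like the following. This is an added example, not code from the thread or from the WCF Web API project. The names PrincipalSettingInvoker and SetThreadPrincipalAttribute are hypothetical, and it assumes that ServiceSecurityContext.Current is populated for the call and that the host applies IOperationBehavior attributes found on the operation method.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Threading;

// Hypothetical names; wraps the existing invoker and sets Thread.CurrentPrincipal around the call.
public class PrincipalSettingInvoker : IOperationInvoker
{
    private readonly IOperationInvoker _inner;
    public PrincipalSettingInvoker(IOperationInvoker inner) { _inner = inner; }

    public bool IsSynchronous { get { return _inner.IsSynchronous; } }
    public object[] AllocateInputs() { return _inner.AllocateInputs(); }

    public object Invoke(object instance, object[] inputs, out object[] outputs)
    {
        IPrincipal previous = Thread.CurrentPrincipal;
        try
        {
            // Assumption: the transport has populated the WCF security context for this call.
            ServiceSecurityContext ctx = ServiceSecurityContext.Current;
            WindowsIdentity caller = ctx == null ? null : ctx.WindowsIdentity;
            // Fail closed: anonymous callers get an unauthenticated principal, so demands fail.
            Thread.CurrentPrincipal = (caller != null && caller.IsAuthenticated)
                ? (IPrincipal)new WindowsPrincipal(caller)
                : new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
            return _inner.Invoke(instance, inputs, out outputs);
        }
        finally { Thread.CurrentPrincipal = previous; } // do not leak the identity to pooled threads
    }

    // Asynchronous operations pass through unchanged; only the synchronous path sets the principal.
    public IAsyncResult InvokeBegin(object instance, object[] inputs, AsyncCallback callback, object state)
    { return _inner.InvokeBegin(instance, inputs, callback, state); }
    public object InvokeEnd(object instance, out object[] outputs, IAsyncResult result)
    { return _inner.InvokeEnd(instance, out outputs, result); }
}

[AttributeUsage(AttributeTargets.Method)]
public class SetThreadPrincipalAttribute : Attribute, IOperationBehavior
{
    public void ApplyDispatchBehavior(OperationDescription description, DispatchOperation dispatch)
    { dispatch.Invoker = new PrincipalSettingInvoker(dispatch.Invoker); }
    public void AddBindingParameters(OperationDescription d, BindingParameterCollection p) { }
    public void ApplyClientBehavior(OperationDescription d, ClientOperation c) { }
    public void Validate(OperationDescription d) { }
}
```

The invoker runs only after the service instance has been created, so the principal it sets is visible to a PrincipalPermission demand on the operation method, not to one evaluated during construction.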